OD Access Control in Leopard Server (Open Directory forum)

    #373057
    mkalien
    Participant

    Ok, so I’m FINALLY starting a migration project to rebuild our 10.4 OD Master on 10.5. Can anyone help me with the access controls? They seem to have moved back to the slapd_macosxserver.conf file from cn=config. I thought we weren’t supposed to touch that file. Also, the Open Directory Admin PDF says I can “Configure Record Privileges” with Server Admin and a button labeled “Privileges”. Anyone seen that button?

    the http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_2nd_Ed.pdf

    One of the things I want to know how to do is lock down specific attributes or containers. Say I don’t want users adding to the shared white pages in the cn=people container. What do I change in the current ACLs in the slapd_macosxserver.conf file to do this?

    [code]
    access to dn.base="cn=people,dc=ldap,dc=biola,dc=edu" attrs=children
    by set="user/uid & [cn=admin,cn=groups,dc=ldap,dc=biola,dc=edu]/memberUid" write
    by dn.exact="cn=od1.biola.edu$,cn=computers,dc=ldap,dc=biola,dc=edu" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by dynacl/idattr/OP:ADD.exact=USERS write
    by dynacl/idattr/OP:DELETE.exact=OWNER write
    by * read

    access to dn.onelevel="cn=people,dc=ldap,dc=biola,dc=edu" attrs=entry
    by set="user/uid & [cn=admin,cn=groups,dc=ldap,dc=biola,dc=edu]/memberUid" write
    by dn.exact="cn=od1.biola.edu$,cn=computers,dc=ldap,dc=biola,dc=edu" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by dnattr=creatorsName write
    by dynacl/idattr.exact=OWNER write
    by * read

    access to dn.onelevel="cn=people,dc=ldap,dc=biola,dc=edu" attrs=@extensibleObject
    by set="user/uid & [cn=admin,cn=groups,dc=ldap,dc=biola,dc=edu]/memberUid" write
    by dn.exact="cn=od1.biola.edu$,cn=computers,dc=ldap,dc=biola,dc=edu" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by dynacl/idattr.exact=OWNER write
    by * read
    [/code]

    #373914
    klausf
    Participant

    I’ve got exactly the same problem. But investigating further it seems to me that LDAP does not even read the configuration file /etc/openldap/slapd_macosxserver.conf.

    Symptom: Changes in the “access to”-statements in /etc/openldap/slapd_macosxserver.conf cannot be verified in the running server.

    After some unsuccessful tests I deliberately entered a syntax error in slapd_macosxserver.conf and restarted slapd by issuing the command killall -HUP slapd. The logfile shows that the process is indeed restarted, and ps shows that slapd now has a different process ID. But there is no indication of the syntax error in any of the logfiles.

    I did ‘touch timestamp’ in /etc/openldap:

    [code]
    -rw-------@ 1 root wheel 10944 Aug 28 09:18 slapd_macosxserver.conf
    -rw-------@ 1 root wheel 1964 Aug 28 09:18 slapd.conf
    drwxr-xr-x 141 root wheel 4794 Aug 28 09:18 ..
    -rw-r--r-- 1 root wheel 0 Aug 28 09:19 timestamp
    drwxr-xr-x 16 root wheel 544 Aug 28 09:19 .
    [/code]

    and then killall -HUP slapd. Surprise: slapd_macosxserver.conf is not read!!!

    [code]
    -rw-------@ 1 root wheel 1964 Aug 28 09:18 slapd.conf
    drwxr-xr-x 141 root wheel 4794 Aug 28 09:18 ..
    -rw-r--r-- 1 root wheel 0 Aug 28 09:19 timestamp
    -rw-r--r--@ 1 root wheel 73 Aug 28 09:19 rootDSE.ldif
    -rw-r--r-- 1 root wheel 300 Aug 28 09:19 ldap.conf
    drwxr-xr-x 16 root wheel 544 Aug 28 09:19 .
    [/code]

    Finally, find . -anewer timestamp confirms this and adds a lot of information:
    [code]
    ./ldap.conf
    ./rootDSE.ldif
    ./slapd.d/cn=config
    ./slapd.d/cn=config/cn=include{0}.ldif
    ./slapd.d/cn=config/cn=include{1}.ldif
    ./slapd.d/cn=config/cn=include{2}.ldif
    ./slapd.d/cn=config/cn=include{3}.ldif
    ./slapd.d/cn=config/cn=include{4}.ldif
    ./slapd.d/cn=config/cn=include{5}.ldif
    ./slapd.d/cn=config/cn=include{6}.ldif
    ./slapd.d/cn=config/cn=include{7}.ldif
    ./slapd.d/cn=config/cn=include{8}.ldif
    ./slapd.d/cn=config/cn=schema
    ./slapd.d/cn=config/cn=schema/cn={0}core.ldif
    ./slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
    ./slapd.d/cn=config/cn=schema/cn={2}nis.ldif
    ./slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
    ./slapd.d/cn=config/cn=schema/cn={4}misc.ldif
    ./slapd.d/cn=config/cn=schema/cn={5}samba.ldif
    ./slapd.d/cn=config/cn=schema/cn={6}fmserver.ldif
    ./slapd.d/cn=config/cn=schema/cn={7}apple.ldif
    ./slapd.d/cn=config/cn=schema/cn={8}slapd_macosxserver.ldif
    ./slapd.d/cn=config/cn=schema/cn={9}customschema.ldif
    ./slapd.d/cn=config/cn=schema.ldif
    ./slapd.d/cn=config/olcDatabase={-1}frontend.ldif
    ./slapd.d/cn=config/olcDatabase={0}config.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={0}unique.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={1}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={2}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={3}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={4}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={5}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={6}dynid.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={7}nestedgroup.ldif
    ./slapd.d/cn=config/olcDatabase={1}bdb.ldif
    ./slapd.d/cn=config.ldif
    [/code]

    Can anybody summarize how Apple’s slapd configures itself?

    Can anybody explain to me how to limit the read access of certain users’ attributes?

    Greetings
    Klaus

    #373935

    You need to edit cn=config directly, and the changes are applied live. Grab an LDAP editor that allows read/write to an LDAP store, like LDAPBrowser. When you specify the DN, do not specify it with your base DN, but rather just “cn=config” (not cn=config,dc=example,dc=com). Select olcDatabase={1}bdb and look at the olcAccess attributes. If you modify/add this attribute, it will immediately take effect (you don’t have to HUP slapd).

    As for modifying the ACL, find one that is similar, duplicate it and modify it.

    Note that you could use LDIF files to modify these attributes, but LDAPBrowser allows you a GUI way to do it.

    tim

    #373965
    fherbert
    Participant

    After investigating this more, it would not appear to be very straightforward to achieve this. If you create a new test OD (Open Directory) account and make it a limited admin, then have a look at the updated/new olcAccess entries, you will see something similar to:

    [code]
    olcAccess: {3}to dn.onelevel="cn=groups,dc=my,dc=od,dc=com" attrs=apple-mcxflags,apple-mcxsettings
    by dynacl/idattr/APPLYTO:635DF24E-E00A-4C72-9DFD-BDE9A78F505D.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write
    by set="user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by dn.exact="cn=my.od.com$,cn=computers,dc=my,dc=od,dc=com" write
    by * read
    [/code]

    where [b]635DF24E-E00A-4C72-9DFD-BDE9A78F505D[/b] is the apple-generateduid of the group whose attributes that user is allowed to change,
    and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes.

    So…. I tried to create a new ACL for a computer list so that the same user would be able to write the apple-mcxflags and apple-mcxsettings attributes, using the following ACL:

    [code]
    olcAccess: {27}to dn.onelevel="cn=computer_lists,dc=my,dc=od,dc=com" attrs=apple-mcxflags,apple-mcxsettings
    by dynacl/idattr/APPLYTO:8F0F2D81-E1B9-4830-B4AB-2F854FA74422.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write
    by set="user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid" write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by dn.exact="cn=its-macmgr.my.od.com$,cn=computers,dc=my,dc=od,dc=com" write
    by * read
    [/code]

    where [b]8F0F2D81-E1B9-4830-B4AB-2F854FA74422[/b] is the apple-generateduid of the computer list I want the user to be able to change the apple-mcxflags and apple-mcxsettings attributes of,
    and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes of that group.

    But whenever I try to add this to OD via Workgroup Manager (using the All Records inspector) I get an error (eDSAttributeNotFound -14134), and when I try to use a directory editor (Apache Directory Studio) I get an LDAP error 80.

    Anyone else got any suggestions on this??

    By the way the 3rd edition of Open_Directory_Admin_v10.5 removes any reference to Configuring Record Privileges.. must have been put in the too hard basket??
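Added example (my code, not the thread's and not Apple's): Python helpers for the cn=config route tim's reply describes and for the folded olcAccess output in fherbert's post. It unfolds LDIF continuation lines, splits an olcAccess value into its "to" and "by" clauses, rebuilds it as an ldapmodify LDIF against olcDatabase={1}bdb,cn=config, and flags the two clause shapes worth a second look in the thread's ACLs: `by * read` (anonymous binds included) and `by sockurl="ldapi://..." write`, which matches the listener a client connected through rather than its bind identity. The sample value is constructed from fherbert's post with his placeholder DNs and UUIDs; the ldapmodify invocation in the docstring is an assumption about the client and is not executed.

```python
"""Added example (not code from the thread): read and write OpenLDAP olcAccess
values under cn=config, the route tim's reply describes. The sample is built
from fherbert's post (his placeholder DNs/UUIDs); nothing here contacts a server."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: fherbert's olcAccess value folded the way ldapsearch and
# slapcat print it (RFC 2849: a continuation line starts with one space).
FOLDED_SAMPLE = """\
olcAccess: {3}to dn.onelevel="cn=groups,dc=my,dc=od,dc=com" a
 ttrs=apple-mcxflags,apple-mcxsettings by dynacl/idattr/APPLYTO:635DF24E-E00A
 -4C72-9DFD-BDE9A78F505D.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write by
  set="user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memb
 erUid" write by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write by dn.exact="c
 n=my.od.com$,cn=computers,dc=my,dc=od,dc=com"
  write by * read
"""

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # a quoted string is one token
INDEX_RE = re.compile(r"^\{(-?\d+)\}")
CONTROLS = {"stop", "continue", "break"}
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class AccessRule:
    index: Optional[int]          # the {n} ordering prefix, if present
    to: str                       # e.g. 'dn.onelevel="..." attrs=...'
    by: List[Tuple[str, str]]     # (who, "access[ control]") in evaluation order

def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines so every attribute is one logical line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the fold marker, keep the rest
        elif raw.strip():                 # blank lines only separate entries
            lines.append(raw)
    return lines

def parse_olc_access(value: str) -> AccessRule:
    """Split one olcAccess value into its 'to' clause and ordered 'by' clauses."""
    if value.startswith("olcAccess:"):
        value = value.split(":", 1)[1].strip()
    index, m = None, INDEX_RE.match(value)
    if m:
        index, value = int(m.group(1)), value[m.end():]
    tokens = TOKEN_RE.findall(value)
    if not tokens or tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    groups: List[List[str]] = [[]]        # groups[0] is the 'to' clause
    for tok in tokens[1:]:                # a quoted 'by' is never the keyword
        if tok == "by":
            groups.append([])
        else:
            groups[-1].append(tok)
    by = []
    for g in groups[1:]:
        n = 2 if len(g) > 2 and g[-1] in CONTROLS else 1    # e.g. 'write stop'
        if len(g) <= n:
            raise ValueError(f"malformed by clause: {' '.join(g)}")
        by.append((" ".join(g[:-n]), " ".join(g[-n:])))
    return AccessRule(index, " ".join(groups[0]), by)

def render_olc_access(rule: AccessRule) -> str:
    """Inverse of parse_olc_access: one unfolded olcAccess value."""
    prefix = f"{{{rule.index}}}" if rule.index is not None else ""
    return prefix + "to " + rule.to + "".join(f" by {w} {a}" for w, a in rule.by)

def fold_ldif_line(line: str, width: int = 78) -> str:
    """Wrap one logical LDIF line with single-space continuation lines."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def build_modify_ldif(rule: AccessRule, db_dn: str = "olcDatabase={1}bdb,cn=config") -> str:
    """LDIF adding one olcAccess value to the database entry in cn=config (an
    explicit {n} inserts at that position). Assumed client invocation, not run:
    ldapmodify -H ldapi://%2Fvar%2Frun%2Fldapi -f acl.ldif  (plus bind options)."""
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcAccess",
             fold_ldif_line("olcAccess: " + render_olc_access(rule)), "-", ""]
    return "\n".join(lines)

def audit_rule(rule: AccessRule) -> List[str]:
    """The 'by' clause shapes a reviewer checks first in an olcAccess list."""
    findings = []
    for who, access in rule.by:
        level = access.split()[0]
        if level not in LEVELS:
            findings.append(f"non-keyword access spec {access!r} for {who}")
        elif who == "*" and LEVELS.index(level) >= LEVELS.index("read"):
            findings.append(f"anyone, anonymous binds included, gets {level} on: {rule.to}")
        elif who.startswith("sockurl=") and LEVELS.index(level) >= LEVELS.index("write"):
            # sockurl matches the listener the client came in on, not who it
            # bound as: every process able to open that socket qualifies.
            findings.append(f"any client on listener {who} gets {level} on: {rule.to}")
    return findings
```

Because slapd evaluates the olcAccess list top down and the first `to` clause that matches the target decides the outcome, where an added value lands in the `{n}` order matters as much as its content; after applying the LDIF, re-read the entry's olcAccess list (for example with `ldapsearch -b 'olcDatabase={1}bdb,cn=config' olcAccess` over the same socket) and run it through `audit_rule` to confirm both the order and that no broader rule above it already answers the request.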
